A Bold Move To OpenID

Published December 12th, 2008

❦

After deleting thousands of spam comments every week, I got fed up. I went looking for a way to eliminate spam all together. There are many different approaches that work at completely destroying spam bots A Honey Pot, a Habari plugin by Sean Coates, that adds a CSS hidden field that only bots would fill in; encoding the “action” URL, and input elements names and ids of the submitting form, a technique used by Prof. Sneddy, killing all spam bots which don’t use an HTML parser (which is all of them). There are others, but those are two that I find work reliably.

The above mentioned methods, however, do not provide any way to authenticate the identity of the submitting comment author. In comes OpenID. Using OpenID to authenticate that the commenter is who they say they are, allows us to ensure that only valid comments are submitted. Since I haven’t seen a spam bot with an OpenID, this will absolutely stop them in their tracks.

OpenID also allows to use heuristics to determine which OpenIDs can be trusted, and which can be blacklisted. Since every commenter has a unique authenticated OpenID, we can reliably trust repeat commenters and push their comments through the moderation queue; at the same time, not trust blacklisted OpenIDs, deleting them immediately, without needing any human interaction to reliably do so.

I’ve decide to jump head first into the deep end, and only allow comments to be submitted using an OpenID Identifier. This means, that if you want submit a comment on my site, you must have an OpenID. There are many people who do not have an OpenID yet, but for your protection, and mine, I would highly recommend you go out and get one now.

I use Verisign’s PIP service for my OpenID provider. The service is still in “beta” (whatever that means nowadays) but I would highly recommend it. They even provide phishing detection, and “Strong Authentication” methods, including Browser Certificates, and their VIP Credetial. Go sign up!